Exam Audits Zero In on Cybersecurity

Whether they're from the SEC or FINRA, examiners visiting advisors and brokers are going to want to hear about how the firm is protecting client data and its information systems.

In a panel discussion at FINRA's recent annual conference, Hardeep Walia, co-founder and CEO of online broker Motif Investing, recalled a recent audit of his firm from the industry regulator, which was followed immediately by an SEC exam. "The focus of both was cybersecurity," he says.

"Your next audit, I bet you anything cybersecurity's going to come up. And it's not just FINRA, it's the SEC," Walia says. "If you're going to make it through your next audit cycle, it will be a focus."

Both sets of examiners were more interested in the policies and procedures in place to safeguard their digital infrastructure than the specific technical defenses in place, though the SEC examiners went to the extent of reviewing the firm's log data, Walia says.

The emphasis on process is typical of examiners, according to Allan Goldstein, who heads up compliance, operations and finance at Trade Informatics.

"That's where it all starts. FINRA doesn't have a rule set that covers cybersecurity, but they identify your written policies and procedures around cybersecurity as the place to go if there's a problem," Goldstein says, emphasizing the importance of documenting the firm's security protocols. "You might have that program in place, but it is important to get that written policy."

That cybersecurity is at the top of the regulators' list of concerns is hardly a surprise. The SEC and FINRA have identified online threats and data breaches in their annual letters detailing their exam priorities, and earlier this year both regulators published reports detailing the findings of the sweep exams focusing on security that each conducted.

Industry officials note the rapid rise in the number of third-party vendors specializing in cybersecurity, though panelists at FINRA's conference recommended that advisors do their homework in shopping for a provider, and, at a minimum, partner with a security firm with experience in the financial-services industry.But even if a firm opts to outsource some of the technical aspects of their information systems, it should still have a designated individual within the practice to oversee cybersecurity and serve as a resource, according to Lisa Roth, president of the consulting firm Monahan and Roth.

"It's really important to have a go-to person not just for supervisory purposes, but for training purposes," Roth says. "Somebody's got to take control at the company."

AWARENESS A MUST

Panelists observe that firm leaders must also make cybersecurity awareness a priority throughout the practice, suggesting that they establish ongoing training programs and make security a frequent topic of discussion in internal meetings. Those efforts can provide an opportunity to address some of the non-technical aspects of information security that experts say continue to constitute one of the greatest vulnerabilities.

"From a cultural standpoint, everyone's got to be on board with this," Goldstein says.

Walia singles out weak passwords (e.g., "password" or "123456") as a particular point of frustration, especially when employees use the same poor password for multiple accounts.

"Any hacker worth their keyboard can get into this in seconds. So, when we look at the reality, the state of the union is horrible," he says. "In this world that we're in it's just inexcusable now."

In addition to the mounting regulatory scrutiny, advisor shops -- particularly small ones -- could face disastrous consequences if a major data breach compromises their clients' sensitive information.

"As small firms, most of us can't afford to be hurt reputationally, because that's how you build your business," Goldstein says.

"That's a really bad headline," Roth adds.

As high as the stakes are, cybersecurity can be a daunting challenge, and leaders at small firms commonly say that they lack the resources or technical expertise to develop a thoroughgoing program. Even knowing where to start can be a tall order.

Fortunately, some government and industry officials appreciate the difficulty of the task, and have developed resources to help firms get started. Roth points to helpful guidance

from SIFMA, including a list of action items such as password tips, limiting administrative privileges, website filtering and regularly backing up data.

She also suggests that firms take a look at the cybersecurity framework developed by the National Institute of Standards and Technology, or NIST, a unit of the Commerce Department.

That document, which intends to serve as a template for businesses across industries to formalize their cyber defenses, identifies five core functions, beginning with identifying the current state of their security situation, including an assessment of the employees that can access different levels of company data and the devices running on the network.

NIST's framework then offers tips for protecting systems and data, early detection of security incidents, and response and recovery.

"It's a great place to start," Roth says of the guidance offered by SIFMA and NIST. "If you have a program in place you can test your team to these resources."